Type Theory, Computation, and Interactive Theorem Proving

Jeremy Avigad and Robert Harper
August 28, 2015


1 Statement of Objectives

Seminal contributions of mathematical logic in the twentieth century include
formal models of computation and proof. We now know that mathematical proof
can, in principle, be reduced to a small number of basic axioms and rules, and
that computation can be understood in terms of a small number of primitive
operations. But there is a tremendous gap between our high-level understanding
of algorithms and proofs and these low-level implementations. This project
developed logical methods, centered on formal type theory, to bridge the gap.

Specifically, the project aimed to develop applications of logic and type
theory to the formal verification of mathematical knowledge and the development
of systems of secure and flexible computation. The two are intimately related:
mathematical formalisms are used to verify properties of computational systems,
and, conversely, computation is central to mathematics. The project combined
Harper's expertise in the formal semantics of computation and Avigad's
expertise in interactive theorem proving in a synergistic way. The project was
divided into two tracks, corresponding to these two areas of focus.

The first track, designed by Harper, dealt with intuitionistic type theory,
which is a comprehensive foundation for programming that integrates language
design, program development, and program verification. A type is defined by
specifying its elements and the ways in which we may compute with them, and
by specifying when two elements are to be considered equal. A programming
language is, therefore, a collection of types that comprise its computational
capabilities. By the identification of propositions with types, we obtain both
a computational interpretation of proofs as programs, and an integration of
verification with programming by type checking. Critical to this integration
is the concept of a dependent type, which allows for the expression of precise
properties of programs and data. Harper pursued powerful new directions based
on these ideas.
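As an added illustration of the three ideas in the preceding paragraph (types
given by elements and computation, dependent types as specifications, and
propositions as types), the following is not from the report or from any of the
projects it describes. It is written in current Lean 4 syntax rather than the
Lean 2 system the report discusses, and the names Vec, Vec.append, Vec.head
and and_swap are chosen here for the example.

```lean
-- Added illustration, not from the report. A type is given by its elements
-- (nil, cons) and how we compute with them (by pattern matching); a dependent
-- type lets the type itself record a property of the data, here the length.
inductive Vec (α : Type) : Nat → Type where
  | nil  : Vec α 0
  | cons : {n : Nat} → α → Vec α n → Vec α (n + 1)

-- The type of `append` is its specification: the result length is the sum of
-- the input lengths. An implementation that drops or duplicates an element
-- produces a vector of the wrong length and is rejected by the type checker,
-- so verification happens as part of type checking.
def Vec.append {α : Type} {m n : Nat} : Vec α m → Vec α n → Vec α (n + m)
  | .nil,       ys => ys
  | .cons x xs, ys => .cons x (xs.append ys)

-- `head` is total: a `Vec α 0` cannot be passed, so there is no empty case
-- to handle and no run-time failure path to audit.
def Vec.head {α : Type} {n : Nat} : Vec α (n + 1) → α
  | .cons x _ => x

-- Propositions as types: `p ∧ q → q ∧ p` is a type, and this program, which
-- swaps the two components of a pair, is a proof of it.
theorem and_swap (p q : Prop) : p ∧ q → q ∧ p :=
  fun ⟨hp, hq⟩ => ⟨hq, hp⟩

#eval Vec.head (Vec.cons 3 Vec.nil)   -- 3
```

The security-relevant reading is the `head` function: the precise type removes
an input class (the empty vector) at compile time, so the absence of the
corresponding crash or undefined behaviour is checked once rather than tested
for on every call.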

The second track, designed by Avigad, dealt with interactive theorem proving,
an important method of verifying complex mathematical theorems and algorithms.
This has further applications in the verification of complex hardware and
software systems, which are typically described in mathematical terms. Avigad
contributed to the theoretical and practical understanding needed to provide
better automated support and infrastructure for interactive theorem proving
systems. Specifically, he contributed to contemporary methods and technology
for verifying theorems of real analysis, measure-theoretic probability, algebra,
and algebraic topology, and pushed the boundaries of what can be achieved with
these methods. He also worked to develop better decision procedures and search
procedures, and to obtain better theoretical and logical formulations of the
kinds of reasoning that are effective in these domains.

The next two sections describe some of the highlights of the research carried
out in each track.


2 Track 1: Type theoretic foundations

Harper participated in the Univalent Foundations Program at IAS for the
development and application of homotopy type theory. Harper's student Kuen-Bang
Hou worked on the mechanization of the Seifert-van Kampen theorem and the
Blakers-Massey theorem in HoTT, and his student Carlo Angiuli worked with
him and others at the IAS on the computational interpretation of homotopy
type theory. Harper's post-doc Dan Licata co-developed the main results in
homotopy theory as formulated in HoTT. Harper also initiated the investigation
of cohomology in HoTT by Angiuli, Licata, and student Evan Cavallo. The Agda
library for homotopy type theory was developed chiefly by Angiuli, Cavallo,
Hou, and Licata.

Harper, in collaboration with student Carlo Angiuli, postdoctoral fellow Edward
Morehouse, and collaborator Daniel Licata, devised a homotopical theory of
revision control in source code management systems. This provides an
application of homotopy type theory to a natural problem in computer science,
and encouraged the development of an Agda library for reasoning about
higher-dimensional paths using a type-theoretic concept of a cube (heterogeneous
identification) formulated by Licata. This same library was used by student Evan
Cavallo, in collaboration with Carlo Angiuli and Harper, in the proof of the
Mayer-Vietoris theorem in homotopy type theory, an important step in the
development of cohomology in type theory. Harper and student Kuen-Bang Hou
developed a machine-checked proof of the equivalence of group actions and
covering spaces in homotopy type theory, again demonstrating the simplicity and
elegance of homotopy type theory for expressing and checking proofs of known
results in algebraic topology.

Student Joe Tassarotti developed a mechanized proof of correctness of the
Read-Copy-Update (RCU) algorithm used in the Linux kernel, using a logic for
reasoning about weak memory models formulated in Coq. RCU is a very intricate
algorithm relying on careful pointer manipulation, and its correctness rests on
an adversarial analysis of all possible concurrency scenarios. Such an analysis
is especially difficult on modern computer architectures, which provide only
very weak guarantees about how concurrently executing processes may view
updates made by one another. The result represents a high-water mark in the
practical verification of concurrent programs using mechanized provers.
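To make the verification target concrete, here is an added example of the core
RCU pattern in C11 atomics. It is written for this page; it is not Tassarotti's
Coq development and not the Linux kernel's RCU implementation. A single writer
publishes a replacement node and then defers freeing the old one until a grace
period has passed, that is, until every reader that could have observed the old
node has left its read-side critical section. The per-reader epoch slots and the
non-blocking rcu_try_free are a simplified bookkeeping scheme chosen for this
illustration. The comments mark which memory orderings are load-bearing on
weak-memory hardware; those are exactly the facts a weak-memory proof has to
track and that testing on x86 alone will not reveal.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_READERS 4

typedef struct node { int key; int value; } node_t;

static _Atomic(node_t *) g_cur;             /* the RCU-protected pointer */
static atomic_ulong g_epoch;                /* advanced once per grace period */
static atomic_ulong g_reader[MAX_READERS];  /* 0 = outside a critical section, else epoch seen at entry */

typedef struct { node_t *old; unsigned long grace; } rcu_retired_t;

node_t *make_node(int key, int value) {
  node_t *n = malloc(sizeof *n);
  n->key = key;
  n->value = value;
  return n;
}

void rcu_init(int key, int value) {
  atomic_store(&g_cur, make_node(key, value));
  atomic_store(&g_epoch, 1);
  for (int i = 0; i < MAX_READERS; i++) atomic_store(&g_reader[i], 0);
}

/* Reader side. */
void rcu_read_lock(int id) {
  /* acquire: a reader that observes an advanced epoch also observes the pointer
     store that preceded it in rcu_publish, so it can only see the new node */
  unsigned long e = atomic_load_explicit(&g_epoch, memory_order_acquire);
  atomic_store_explicit(&g_reader[id], e, memory_order_relaxed);
  /* Dekker-style full fence, paired with the one in rcu_publish: either the
     writer sees our slot set, or we see the new pointer. Without it the store
     above may be reordered after the pointer load and the writer can free a
     node we are about to read. */
  atomic_thread_fence(memory_order_seq_cst);
}

node_t *rcu_dereference(void) {
  /* acquire pairs with the writer's release store: once we see the pointer, the
     node's fields are initialised. x86 gives this for free; ARM/POWER do not,
     and a relaxed load here is the classic weak-memory bug. */
  return atomic_load_explicit(&g_cur, memory_order_acquire);
}

void rcu_read_unlock(int id) {
  /* release: all our reads of the node happen-before the writer seeing the slot clear */
  atomic_store_explicit(&g_reader[id], 0, memory_order_release);
}

/* Writer side (single writer assumed): swap in a fully initialised node and open a grace period. */
void rcu_publish(node_t *new_node, rcu_retired_t *ret) {
  ret->old = atomic_load_explicit(&g_cur, memory_order_relaxed);
  atomic_store_explicit(&g_cur, new_node, memory_order_release);
  ret->grace = atomic_fetch_add_explicit(&g_epoch, 1, memory_order_seq_cst) + 1;
  atomic_thread_fence(memory_order_seq_cst);   /* pairs with the reader's fence */
}

/* The grace period has elapsed when every reader is outside a critical section
   or entered after the epoch advanced (so it cannot hold the retired node). */
bool rcu_grace_elapsed(const rcu_retired_t *ret) {
  for (int i = 0; i < MAX_READERS; i++) {
    unsigned long r = atomic_load_explicit(&g_reader[i], memory_order_acquire);
    if (r != 0 && r < ret->grace) return false;
  }
  return true;
}

/* Non-blocking reclamation; returns true only when the node was actually freed. */
bool rcu_try_free(rcu_retired_t *ret) {
  if (ret->old == NULL || !rcu_grace_elapsed(ret)) return false;
  free(ret->old);
  ret->old = NULL;
  return true;
}

/* One fixed interleaving, run on a single thread. Returns a bitmask of failed checks (0 = all passed). */
int run_scenario(void) {
  int bad = 0;
  rcu_retired_t ret;
  rcu_init(1, 10);
  rcu_read_lock(0);                                 /* reader 0 enters and sees the original node */
  if (rcu_dereference()->value != 10) bad |= 1;
  rcu_publish(make_node(1, 20), &ret);              /* writer replaces it */
  if (rcu_try_free(&ret)) bad |= 2;                 /* must refuse: reader 0 may still use the old node */
  rcu_read_lock(1);                                 /* reader 1 enters after the publish */
  if (rcu_dereference()->value != 20) bad |= 4;     /* and can only see the new node */
  if (rcu_try_free(&ret)) bad |= 8;                 /* still refused because of reader 0 */
  rcu_read_unlock(0);
  if (!rcu_try_free(&ret)) bad |= 16;               /* reader 1 is inside but post-epoch: safe to free */
  if (rcu_try_free(&ret)) bad |= 32;                /* nothing left to free */
  rcu_read_unlock(1);
  free(atomic_load(&g_cur));
  return bad;
}

int main(void) {
  int bad = run_scenario();
  printf("scenario %s (failure mask %d)\n", bad ? "FAILED" : "passed", bad);
  return bad != 0;
}
```

run_scenario executes one interleaving on a single thread, so it checks the
grace-period logic deterministically but says nothing about the orderings: a
relaxed load in rcu_dereference, or the fence in rcu_read_lock removed, would
pass this scenario unchanged while being wrong on ARM or POWER. That gap between
what a test can observe and what the hardware may do is why the report's result,
a proof against a weak memory model, is the stronger guarantee.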


3 Track 2: Interactive theorem proving and automated reasoning

3.1 Homotopy type theory

Avigad participated in the Univalent Foundations Program at IAS for the
development and application of homotopy type theory. He worked with Krzysztof
Kapulkin and Peter Lumsdaine to formalize properties of homotopy limits in
the Coq theorem prover. That is, they developed an extensive theory of
categorical limits over diagrams where the diagram identities hold only up to
homotopy, rather than "on the nose." This resulted in publication [15].

Avigad also advised two graduate students in work on homotopy type theory.
Jakob von Raumer, an MS student from Technische Universität Karlsruhe, wrote
his thesis under Avigad's supervision. The thesis project consists of a
formalization of results in non-abelian topology, using the Lean theorem
prover, in the framework of homotopy type theory. The results are especially
notable for the complexity of the algebraic structures he dealt with. Second,
Avigad has served as advisor to Floris van Doorn, who has contributed seminal
results to the new interactive theorem prover, Lean, and has begun to develop a
formally verified theory of higher-inductive types and reductions between them.

3.2 Polya: a heuristic theorem prover for real-valued inequalities

Avigad worked with Ph.D. student Rob Lewis and postdoc Cody Roux to develop
new methods of verifying real-valued inequalities automatically. They developed
a prototype implementation in Python [8] (an expanded version of the paper will
appear in an issue of the Journal of Automated Reasoning featuring the best
papers from the conference at which [8] was presented). Avigad and Lewis have
been developing extensions to the system, and have begun work on a formal
implementation in the Lean theorem prover (see below). The system performed
surprisingly well on over 4,000 benchmark problems developed by André Platzer
in connection with his KeYmaera system for verifying hybrid systems, and will
be used as a back-end to that system.

In the spring of 2015, Avigad and Lewis visited Jon Borwein (University of
Newcastle, and the Centre for Computer-Assisted Research Mathematics and its
Applications). There, Avigad delivered a series of lectures on formal methods
in mathematics, and Avigad, Borwein, and Lewis began to discuss ways of
incorporating methods of convex analysis into Polya's heuristics.
3.3 The Lean theorem prover

Avigad has contributed to the development of Lean, a new open-source
interactive theorem prover developed under the leadership of Leonardo de Moura
at Microsoft (http://leanprover.github.io/). He has led the development of
Lean's standard library, and has supervised student work on the project: the
development of the HoTT library by Floris van Doorn, the development of the
theory of ordered fields and the reals by Rob Lewis, the development of the
theory of lists by undergraduate student Parikshit Khanna (IIT Kanpur), and
work on coinductive types by undergraduate student Ken Sakayori (University of
Tokyo).

Avigad, de Moura, and Kong have developed an online interactive theorem prover
and have written an online tutorial, Theorem Proving in Lean [14],
https://leanprover.github.io/tutorial/tutorial.pdf. Avigad taught a graduate
seminar on Lean in the spring of 2015
(http://leanprover.github.io/cmu-15815-s15/) and will teach an undergraduate
introduction to logic using Lean in the fall of 2015. Reaction to the system
and the tutorial has been strongly positive.

3.4 Formally verified mathematics

In addition to developing the Lean library, Avigad completed a formalization of
the central limit theorem with Johannes Hölzl and undergraduate student Luke
Serafin in the Isabelle proof assistant. This involved, in particular,
formalizing measure-theoretic probability and properties of characteristic
functions [7]. A large-scale project to formalize the Feit-Thompson theorem,
led by Georges Gonthier, was completed in 2012 (Avigad contributed during a
sabbatical year in France in 2009-2010), and the report was written and
published during the grant period [3].